The Sapphire Worm was the fastest spreading computer worm in history. It spread throughout the Internet and infected most of the vulnerable hosts that could be found within ten minutes.

The worm (also called Slammer, SQLSlammer, W32.Slammer) began at almost exactly 5:30 AM (UTC) on Saturday January 25th and spread by infecting copies of Microsoft SQL Server and MSDE 2000 (Microsoft SQL Server Desktop Engine) that were exposed to the Internet.

About Sapphire

(excerpted from CERT Advisory CA-2003-04 MS-SQL Server Worm)
The worm targeting SQL Server computers is self-propagating malicious code that exploits the vulnerability described in VU#484891 (CAN-2002-0649). This vulnerability allows for the execution of arbitrary code on the SQL Server computer due to a stack buffer overflow.

Once the worm compromises a machine, it will try to propagate itself. The worm will craft packets of 376-bytes and send them to randomly chosen IP addresses on port 1434/udp. If the packet is sent to a vulnerable machine, this victim machine will become infected and will also begin to propagate. Beyond the scanning activity for new hosts, the current variant of this worm has no other payload.

Activity of this worm is readily identifiable on a network by the presence of 376-byte UDP packets. These packets will appear to be originating from seemingly random IP addresses and destined for port 1434/udp.